Hackthebox Walkthrough — TartarSauce1 (User Shell)

I have been taking the PWK courses and preparing for the OSCP exam recently, and I got a lot of inspiration from many Hackthebox machines besides the PWK labs. So I decided to start writing walkthroughs of some retired Hackthebox machines (inspired by hackingarticles, infosec, ippsec’s YouTube videos, etc.; thanks for all of these amazing penetration testing materials!).

Target: 10.10.10.88

Local IP: 10.10.14.2

Nmap Enumeration

Nmap reveals that only port 80 is open. Server banner: Apache httpd 2.4.18

We also discover the robots.txt file.

Let’s try each one of these hidden directories:

/webservices/tar/tar/source
/webservices/monstra-3.0.4
/webservices/easy-file-uploader/
/webservices/developmental/
/webservices/phpmyadmin

So we see that only /webservices/monstra-3.0.4 works and has a valid web page.

We always want to do directory fuzzing on a web server. Let’s use gobuster this time to see if there are any hidden pages.

Immediately we found a /wp WordPress page.

Let’s check that out

Unfortunately nothing interesting on that page

Let’s focus on the Tartarsauce page

Try logging in with Username: admin, Password: admin (default).

And we successfully logged in! Let’s try to see where we could upload a reverse shell.

Looks like most items are read only

Run wpscan for more enumeration

Run searchsploit for gwolle, and we found a remote file inclusion vulnerability.

Let’s create a PHP reverse shell and start our apache2 server.

We found out that the web server is appending wp-load.php at the end,

so let’s rename our file to wp-load.php.

Set up the netcat listener,

and we got a reverse shell back.
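From the defender's side, the inclusion request described above leaves a URL-valued query parameter in the Apache access log. The following is an added example (not from the original walkthrough or the plugin's code) that flags such requests; the log lines, the plugin path and the parameter name `base` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Remote schemes a PHP include()/require() could be pointed at.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_rfi_candidates(lines):
    """Return (client, path, param, value, status) for URL-valued query parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((client, parts.path, name, value, int(status)))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical plugin path).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2018:13:55:36 +0000] "GET /wp/?p=1 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2018:13:56:02 +0000] "GET /wp/wp-content/plugins/'
    'example-plugin/load.php?base=http://203.0.113.5/ HTTP/1.1" 200 0 "-" "curl/7.58.0"',
    '198.51.100.7 - - [10/Oct/2018:13:56:40 +0000] "GET /wp/wp-content/plugins/'
    'example-plugin/load.php?base=http%3A%2F%2F203.0.113.5%2F HTTP/1.1" 200 0 "-" "curl/7.58.0"',
    '192.0.2.44 - - [10/Oct/2018:13:57:11 +0000] "GET /wp/wp-login.php?'
    'redirect_to=%2Fwp%2Fwp-admin%2F HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_rfi_candidates(SAMPLE_LOG):
        print(hit)
```

Parameters that legitimately carry absolute URLs, such as redirect targets, will also match and need an allow-list. On the server, keeping PHP's `allow_url_include` off stops `include()` from fetching remote URLs.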

Let’s work on privilege escalation now!

Run linuxprivchecker.py and LinEnum.sh from /tmp,

and we found something that seems interesting: we can pwn the sudo privilege.

And two users are running on the machine: onuma and root.

Google GTFOBins and we found a shell command that could break out of restricted environments by spawning an interactive system shell,

and we are onuma now.

Grab our user.txt flag!

But we still need to work on getting root privilege.

To be continued …